VYPR
High severity · NVD Advisory · Published May 17, 2022 · Updated Aug 3, 2024

CVE-2022-30963

Description

Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:JDK_Parameter_Plugin (Maven)
Affected versions: <= 1.0
Patched versions: none listed

Vulnerability mechanics

Root cause

"Missing output escaping of JDK parameter name and description in Jelly views allows stored cross-site scripting."

Attack vector

An attacker with Item/Configure permission can set a malicious name or description for a JDK parameter. When other users view a page that displays that parameter (such as the build configuration or parameterized build page), the unsanitized input is rendered in the browser, allowing arbitrary JavaScript execution. The attack is stored because the malicious payload persists in the parameter definition until removed. [CWE-79]

What the fix does

The patch sets the Jelly variable `escapeEntryTitleAndDescription` to `true` in three view templates (`config.jelly`, `index.jelly`, `value.jelly`). This variable instructs Jenkins' form entry tag to HTML-escape the `title` and `description` attributes before rendering, preventing injected script tags or event handlers from being interpreted as code. The same defense pattern (SECURITY-353) has been applied in other Jenkins plugins for similar XSS issues.
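The fix pattern described above, shown as an added illustration rather than the plugin's own template: a minimal Jelly view that renders a JDK parameter's name and description through the `f:entry` tag. The `it.name`, `it.description` and `it.defaultValue` expressions, the textbox control and the file layout are assumptions made for this illustration; the `escapeEntryTitleAndDescription` variable and the `f:entry` tag are the ones the advisory refers to. Jenkins core's entry tag emits `title` and `description` as raw HTML unless that variable is set, so a stored parameter name containing a script tag or event-handler attribute is interpreted as markup by the browser of anyone viewing the form.

```xml
<?jelly escape-by-default='true'?>
<!-- Added illustration, not the JDK Parameter Plugin's own view.
     The parameter definition is assumed to be bound as ${it} with
     name / description / defaultValue properties (assumption). -->
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">

  <!-- SECURITY-353 pattern (the CVE-2022-30963 fix): tell f:entry to
       HTML-escape its title and description attributes. Without this line
       the tag outputs them unescaped, so attacker-controlled text stored in
       the parameter definition is rendered as HTML, not as text. -->
  <j:set var="escapeEntryTitleAndDescription" value="true"/>

  <!-- Both attributes carry user-controlled, persisted values. -->
  <f:entry title="${it.name}" description="${it.description}">
    <!-- Input control for the parameter value; layout is illustrative. -->
    <f:textbox name="value" value="${it.defaultValue}"/>
  </f:entry>

</j:jelly>
```

Note that `escape-by-default='true'` on the first line does not cover this case on its own: it escapes `${...}` expressions in the view's own text, while the unescaped path inside the entry tag deliberately writes the attribute values as raw output. When reviewing a plugin for this class of bug, check that every Jelly view that passes user-controlled text into `f:entry`'s `title` or `description` sets the variable, as the patch does in `config.jelly`, `index.jelly` and `value.jelly`.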

Preconditions

  • Attacker must have Item/Configure permission on a Jenkins job
  • The job must use a JDK parameter (JavaParameterDefinition)

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.